
ISACA Presentation: Network Penetration Testing and Ethical Hacking

Come out to the ISACA meeting in Kansas City on September 9th to see my presentation on Network Penetration Testing and Ethical Hacking.

Time: 11:30 AM – 12:00 PM Registration | 12:00 – 1:00 PM Lunch | 1:00 – 3:00 PM Program
Location: Figlio’s Tower | 209 West 46th Terrace | Kansas City | MO | 64112

http://isaca-kc.org/Chapter%20Meetings/20100909%20Presentation.pdf

SANS 560: Network Penetration Testing & Ethical Hacking – Kansas City

I am teaching/mentoring the SANS 560 course starting October 7, 2010. Use the discount code “mentor15” to get a 15% discount when signing up.

Signup: http://www.sans.org/info/55868

Here is the SANS announcement:

Starting October 7th, SANS will be running Security 560: Network
Penetration Testing and Ethical Hacking in Kansas City, MO. This course
will be taught by SANS Mentor Daryl Fallin.

Attendees will learn how to perform detailed reconnaissance, learning
about a target's infrastructure by mining blogs, search engines, and
social networking sites. Students will utilize numerous tools in hands-on
exercises in our lab-environment. The class also discusses how to prepare
a final report, tailored to maximize the value of the test from both a
management and technical perspective. For complete event details visit
http://www.sans.org/info/55868.

When: October 7 - December 16, 2010 (Class meets once a week from
6:00-8:00PM on Thursdays)

CPEs: 36

GIAC Certification: GIAC Certified Penetration Tester (GPEN)

Tuition: $2695, which is a $400 savings when you register early at
http://www.sans.org/info/55868

For group discounts please contact mentor@sans.org.

What is the SANS Mentor Program: http://www.sans.org/info/57693

The SANS Mentor Program offers you local, live training over the course of
ten weeks. This format allows students to understand, apply and digest
the material each week and return with any questions at the next class
session. Mentor classes are smaller classes which gives students the
opportunity to directly interact with each other and the Mentor in a
hands-on environment.

With local training from SANS Mentor you save on travel expenses, time
away from work, family and save on average 25% on the tuition cost. If
you have a limited training budget this SANS Mentor class will get you the
knowledge you need at savings you can use.

If this sounds like the kind of local, live training you can use please
register today at
http://www.sans.org/info/55868.

SSH Tunnel Java Client

Sometime around 1999 I realized that there are many instances where you will want to browse the Internet without the ISP, hotel or even the company you work for being able to see the sites you visit. This is not a unique idea and has now become almost a mainstream activity among security-minded individuals. But I wanted things to be simple, so I created a small Java program to do the client-side work for me. It not only creates an SSH tunnel when outbound port 22 is open, but can also work through a proxy or firewall that only allows SSL traffic out to the Internet.

Download Java SSH Tunnel Tool

What you need:

Server that has an SSH server and a proxy. (I am using the squid proxy)
Ability to enable SSH to listen to port 443 (simple sshd_config setting on linux using openssh)
If your company, hotel, etc. uses an authenticated proxy, you will need to know the IP address of the proxy and the credentials it requires.

I am using a server that is hosted by linode.com. This server is a CentOS 5.4 server with a very basic linux install with openssh server and squid installed.

First you need to make sure that your ssh server is working. As long as you know it answers on port 22 as it does by default then you are ready to move on to the next step.

Make the SSH server listen on port 443.

Edit the /etc/ssh/sshd_config (location on CentOS 5.4)
Uncomment the line ‘#Port 22’ if it is commented.
Add line ‘Port 443’
Your sshd_config file should now have the following lines:

Port 22
Port 443

Restart the ssh server.
On CentOS: service sshd restart
On most other linux systems you can use: /etc/init.d/sshd restart

Try to connect to your ssh server on port 443
# ssh -l username -p 443 10.10.10.10 (substitute your username and IP address as appropriate)

If you can connect to your ssh server on port 443 then you are ready to go onto the next step.
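The sshd_config edit above is easy to get wrong by hand (leaving the `#Port 22` line commented, or adding `Port 443` twice). The following is an added example, not code from the original post, that applies the same change programmatically and checks the result. It assumes the stock CentOS-style layout described above (a commented `#Port 22` line and no other Port lines); the sample config text is constructed for the demo.

```python
import re

# Matches 'Port 22', '  Port 443' and commented-out '#Port 22' lines in sshd_config.
PORT_LINE = re.compile(r"^\s*(#\s*)?Port\s+(\d+)\s*$", re.IGNORECASE)


def active_ports(config_text):
    """Ports sshd would actually listen on, ignoring commented-out Port lines."""
    ports = []
    for line in config_text.splitlines():
        m = PORT_LINE.match(line)
        if m and not m.group(1):
            ports.append(int(m.group(2)))
    return sorted(ports)


def ensure_sshd_ports(config_text, wanted=(22, 443)):
    """Return sshd_config text with an active 'Port N' line for every port in wanted.

    A commented-out '#Port N' for a wanted port is uncommented in place (the step the
    post describes for port 22); wanted ports that appear nowhere are inserted right
    after the last Port line, or at the top if there is none. Nothing else is touched,
    so running it twice gives the same file.
    """
    wanted = [str(p) for p in wanted]
    out, active, last_port_idx = [], set(), None
    for line in config_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port = m.group(2)
            if m.group(1) and port in wanted:
                line = f"Port {port}"           # '#Port 22' -> 'Port 22'
            if not m.group(1) or port in wanted:
                active.add(port)
            last_port_idx = len(out)
        out.append(line)
    insert_at = 0 if last_port_idx is None else last_port_idx + 1
    out[insert_at:insert_at] = [f"Port {p}" for p in wanted if p not in active]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed fragment of a stock CentOS-style sshd_config, not a file from the post.
    original = "#Port 22\n#Protocol 2,1\nListenAddress 0.0.0.0\n"
    updated = ensure_sshd_ports(original)
    print(updated)                  # Port 22 / Port 443 / #Protocol 2,1 / ListenAddress 0.0.0.0
    print(active_ports(updated))    # [22, 443]
```

Read the real file, pass its text through `ensure_sshd_ports`, write it back, then restart sshd as described above; `active_ports` on the written text is a cheap check that both ports are really uncommented before you restart.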

Using the LiberSSH2.jar client.

Download the Java SSH client LiberSSH2.jar from here.

Run the LiberSSH2.jar file. This should work with Mac, Windows or Linux. The LiberSSH2.jar file is a runnable jar, so you should be able to just run it by double clicking.

If it does not run, then try the following ‘java -jar LiberSSH2.jar’

Detailed information about the client fields:
Hostname: Server that is running your ssh server and proxy
Username: Username for above server
Password: Password for above username
Proxy Server: This is if you have a local proxy or firewall that you must use to get out to the internet.
Proxy Port: Proxy port that the above Proxy server uses.
Proxy Username: Username for the above proxy server. This is needed if your company proxy server uses an authenticated proxy server.
Proxy Password: Password for above Proxy Username
Local Port: This is the port that your tunnel will be bound to. Connections to this port on localhost (127.0.0.1) are sent over the tunnel to port 3128 on your server. (I will allow the remote port to be changed in future releases.)
Use Proxy checkbox: Check this if you have to use a proxy to get out of your current network (work environment).
Login Button: Press to login
Logout Button: Press to logout.

Base64 Encoding/Decoding – Windows Basic Authorization (NTLM)

Sometimes in a Wireshark or other sniffer capture you will come across traffic where a Windows system uses Basic authorization to authenticate. This often looks like “Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=”. That particular header is authentication to a proxy server.

Here is a simple command line perl to decode the base64 encoded username and password:

perl -e 'use MIME::Base64; $data = decode_base64("dXNlcm5hbWU6cGFzc3dvcmQ="); print "Decoded $data\n";'

And if for some reason you want to do a base64 encoding:

perl -e 'use MIME::Base64; $data = encode_base64("username:password"); print "Encoded $data\n";'
Encoded dXNlcm5hbWU6cGFzc3dvcmQ=
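The two halves of this post fit together: the Proxy Server / Proxy Username / Proxy Password fields of the tunnel client above exist because an HTTP proxy that only passes SSL traffic still has to be asked, with a CONNECT request, to open a raw tunnel to port 443, and the Basic header decoded here is exactly what that request puts on the wire. The block below is an added example, not code from the original post and not a description of how LiberSSH2.jar is implemented (CONNECT is one common way to traverse such a proxy; that it is what the client uses is an assumption). It builds the client side of the exchange, parses the proxy's reply, and scans a constructed text dump of a capture for Basic credentials, tolerating malformed tokens instead of stopping on them.

```python
import base64
import binascii
import re


def basic_token(username, password):
    """Encode 'username:password' the way a Basic authorization header carries it."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def build_connect_request(host, port, proxy_user=None, proxy_password=None):
    """Bytes a client sends to an HTTP proxy to open a raw tunnel to host:port."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_user is not None:
        lines.append("Proxy-Authorization: Basic " + basic_token(proxy_user, proxy_password))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Split the proxy's reply into (status code, leftover bytes).

    Leftover bytes already belong to the tunnelled stream (for an SSH tunnel, the
    server's 'SSH-2.0-...' banner) and must be handed to the SSH client, not dropped.
    A 407 means the proxy wants credentials, i.e. the Proxy Username/Password fields.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), rest


BASIC_HEADER = re.compile(
    r"^(Proxy-Authorization|Authorization):\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def find_basic_credentials(capture_text):
    """Return (header, username, password) for every Basic token in a text dump of a capture.

    Bad base64 yields (header, None, None); a token with no 'user:pass' colon yields a
    None password, so one odd line does not abort the scan.
    """
    found = []
    for m in BASIC_HEADER.finditer(capture_text):
        header, token = m.group(1), m.group(2)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            found.append((header, None, None))
            continue
        user, sep, password = decoded.partition(":")
        found.append((header, user, password if sep else None))
    return found


# Constructed sample resembling a sniffer's "follow TCP stream" text; not a real capture.
SAMPLE_CAPTURE = """CONNECT 10.10.10.10:443 HTTP/1.1
Host: 10.10.10.10:443
Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

GET /index.html HTTP/1.1
Authorization: Basic am9obmRvZTpzM2NyM3Q=

Proxy-Authorization: Basic bm9jb2xvbg==
Proxy-Authorization: Basic dXNlcm5hbWU
"""

if __name__ == "__main__":
    print(build_connect_request("10.10.10.10", 443, "username", "password").decode())
    print(parse_connect_response(b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_5.3\r\n"))
    for hit in find_basic_credentials(SAMPLE_CAPTURE):
        print(hit)
```

The point a defender should take from `find_basic_credentials` is the same one the Perl one-liner makes: Basic is an encoding, not encryption, so any proxy or web server that accepts it over plain HTTP is handing its users' passwords to anyone who can capture the segment.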

Portforwarding with OpenSSH (SSH)

In OpenSSH, to create a local port that forwards to a remote port without opening a shell session:

ssh -N -l johndoe -i .ssh/id_dsa -L45432:0.0.0.0:5432 191.168.1.1

The above command uses the identity file id_dsa and creates a local port 45432 that forwards to the remote system on port 5432 (postgres).

This will allow the local client to connect with postgres on local port 45432 and run queries against the remote database over the encrypted SSH tunnel. This is a very secure method for database connectivity.

To create an identity file:

ssh-keygen -t dsa -b 2048

Do not enter a passphrase if you are going to use this key to connect without user interaction. If you do this, you must keep the private key file protected.

Once you have the keys take the public key (id_dsa.pub) and add it to the authorized_keys file of the user you are connecting as:

For instance, if the user is johndoe on the remote system, go to johndoe’s home directory (something like /home/johndoe), then to the .ssh directory (/home/johndoe/.ssh), and add the id_dsa.pub key to the end of the authorized_keys file. If the file does not exist, create it and add the key. The key is a single line, so make sure it does not get wrapped across more than one line.

Make sure to make the file read/write only for the owner: chmod 600 authorized_keys

Now you can log in or use the above command to create a local port to tunnel to a remote port.

Of course to log in: ssh -l johndoe -i /home/johndoe/.ssh/id_dsa 192.168.1.1
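The authorized_keys steps above (one key per line, never wrapped, file mode 600) are the ones most often botched, and a wrapped or mis-typed key just produces a silent "Permission denied". The following is an added example, not code from the original post, that appends a key exactly once with the right permissions and audits an existing file for the mistakes the post warns about. The key material it builds is a constructed, length-prefixed dummy blob that is only syntactically valid; it cannot be used to log in anywhere.

```python
import base64
import binascii
import os
import stat
import struct
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def check_key_line(line):
    """Return None for a well-formed authorized_keys entry, else a description of the problem."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None:
        return "no key type found (is a key wrapped across lines?)"
    if len(fields) < idx + 2:
        return "key type without key data"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except (binascii.Error, ValueError):
        return "key data is not valid base64"
    if len(blob) < 4:
        return "key data too short"
    (n,) = struct.unpack(">I", blob[:4])          # OpenSSH blobs start with the type string
    if blob[4:4 + n] != fields[idx].encode("ascii"):
        return "key data does not match its declared type"
    return None


def audit_authorized_keys(path):
    """List permission and format problems with an authorized_keys file and its .ssh directory."""
    findings = []
    ssh_dir = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) & 0o077:
        findings.append(f"{ssh_dir}: directory is group/world accessible, expected 0700")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(f"{path}: file is group/world accessible, expected 0600")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            problem = check_key_line(line)
            if problem:
                findings.append(f"{path} line {lineno}: {problem}")
    return findings


def append_authorized_key(path, pubkey_line):
    """Add one public key line exactly once; create .ssh (0700) and the file (0600) if needed."""
    pubkey_line = pubkey_line.strip()
    problem = check_key_line(pubkey_line)
    if problem:
        raise ValueError(problem)
    ssh_dir = os.path.dirname(os.path.abspath(path))
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    content = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            content = fh.read()
    if pubkey_line in (l.strip() for l in content.splitlines()):
        return False                               # already present, do not duplicate
    with open(path, "a", encoding="utf-8") as fh:
        if content and not content.endswith("\n"):
            fh.write("\n")                         # never glue onto a previous key
        fh.write(pubkey_line + "\n")
    os.chmod(path, 0o600)
    return True


def fake_pubkey_line(key_type="ssh-dss", comment="johndoe@example (constructed)"):
    """Constructed authorized_keys line with dummy key material, for the demo only."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode("ascii") + b"\x00" * 16
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


def demo():
    """Run the append/audit flow in a throwaway directory and return what was observed."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, ".ssh", "authorized_keys")
    line = fake_pubkey_line()
    first = append_authorized_key(path, line)
    second = append_authorized_key(path, line)     # same key again: must not duplicate
    clean = audit_authorized_keys(path)
    os.chmod(path, 0o644)                          # simulate a careless chmod
    loose = audit_authorized_keys(path)
    return {"first_add": first, "second_add": second, "clean": clean, "loose": loose,
            "wrapped": check_key_line("AAAAB3NzaC1kc3MAAACBAP"),
            "mismatch": check_key_line("ssh-rsa " + line.split()[1])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

On a real host, run `audit_authorized_keys` against each user's `~/.ssh/authorized_keys`; a finding for a wrapped key is the usual cause of the "I pasted the key but it still asks for a password" problem.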

Wireless Security Terms confusing? Check out this article by e-Week

Full article: Wireless Security: A Partial Glossary of Wireless Security Terms

  • WEP (Wired Equivalent Privacy)—The old, original, now discredited wireless security standard. Easily cracked.
  • WEP 40/128-bit key, WEP 128-bit Passphrase—See WEP. The user key for WEP is generally either 40- or 128-bit, and generally has to be supplied as a hexadecimal string.
  • WPA, WPA1—Wi-Fi Protected Access. The initial version of WPA, sometimes called WPA1, is essentially a brand name for TKIP. TKIP was chosen as an interim standard because it could be implemented on WEP hardware with just a firmware upgrade.
  • WPA2—The trade name for an implementation of the 802.11i standard, including AES and CCMP.
  • TKIP—Temporal Key Integrity Protocol. The replacement encryption system for WEP. Several features were added to make keys more secure than they were under WEP.
  • AES—Advanced Encryption Standard. This is now the preferred encryption method, replacing the old TKIP. AES is implemented in WPA2/802.11i.
  • Dynamic WEP (802.1x)—When the WEP key/passphrase is entered by a key management service. WEP as such did not support dynamic keys until the advent of TKIP and CCMP.
  • EAP—Extensible Authentication Protocol. A standard authentication framework. EAP supplies common functions and a negotiation mechanism, but not a specific authentication method. Currently there are about 40 different methods implemented for EAP. See WPA Enterprise.
  • 802.1x, IEEE8021X—The IEEE family of standards for authentication on networks. In this context, the term is hopelessly ambiguous.
  • LEAP, 802.1x EAP (Cisco LEAP)—(Lightweight Extensible Authentication Protocol) A proprietary method of wireless LAN authentication developed by Cisco Systems. Supports dynamic WEP, RADIUS and frequent reauthentication.
  • WPA-PSK, WPA-Preshared Key—Use of a shared key, meaning one manually set and manually managed. Does not scale with a large network either for manageability or security, but needs no external key management system.
  • RADIUS—Remote Authentication Dial In User Service. A very old protocol for centralizing authentication and authorization management. The RADIUS server acts as a remote service for these functions.
  • WPA Enterprise, WPA2 Enterprise—A trade name for a set of EAP types. Products certified as WPA Enterprise or WPA2 Enterprise will interoperate. The included types are:
    • EAP-TLS
    • EAP-TTLS/MSCHAPv2
    • PEAPv0/EAP-MSCHAPv2
    • PEAPv1/EAP-GTC
    • EAP-SIM
  • WPA-Personal, WPA2-Personal—See Pre-Shared Key.
  • WPA2-Mixed—Support for both WPA1 and WPA2 on the same access point.
  • authentication algorithms: OPEN, SHARED and LEAP—OPEN in this context meant no authentication; the network was open to all. SHARED refers to preshared key. For LEAP see LEAP.

Fun with tshark (wireshark) command line

Get CSV output of source and destination IP addresses from a pcap (Wireshark or tcpdump) capture file.

tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst

Creates a file similar to:

192.168.1.105,192.168.1.120
192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
192.168.1.120,192.168.1.105
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.19,192.168.1.105
192.168.1.105,72.14.247.19
192.168.1.105,74.53.76.3
74.53.76.3,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.83,192.168.1.105

Then if you have afterglow installed you can create a visualization of the source and destination information by doing the following:

(from the $HOME/afterglow/src/perl/graph directory)

tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst | perl afterglow.pl -c color.properties > file.dot

This turns the data into a DOT file describing a directed graph, which neato can draw.

Now, using neato, create a gif file to display a visualization of the data.

neato -Tgif -o test.gif ./file.dot

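Afterglow does the CSV-to-DOT step above with its own colour rules; the block below is an added example, not afterglow's code and not from the original post, that shows what that step consists of on the page's own sample rows and produces a `file.dot` you can hand to the same `neato -Tgif -o test.gif ./file.dot` command. It also handles two rows the tshark command really emits but which break a naive split: frames with no IP layer (ARP, for instance) come out as an empty `,` row, and ICMP error packets carry a second, inner IP header, so both `ip.src` and `ip.dst` have two values joined by the same comma used as the separator. The sample text is constructed (the first twelve rows are the listing above plus those two cases), and treating `192.168.` as the internal prefix is an assumption.

```python
from collections import Counter

# Constructed sample in the shape of
#   tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst
# output: the rows from the post's listing, then a non-IP frame, then an ICMP error
# whose inner IP header makes every field appear twice.
SAMPLE_CSV = """192.168.1.105,192.168.1.120
192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
192.168.1.120,192.168.1.105
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.19,192.168.1.105
192.168.1.105,72.14.247.19
192.168.1.105,74.53.76.3
74.53.76.3,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.83,192.168.1.105
,
10.0.0.1,192.168.1.105,192.168.1.105,10.0.0.1
"""


def parse_pairs(csv_text):
    """Return ([(src, dst), ...], [(lineno, raw_line), ...]) keeping only clean two-field rows."""
    pairs, skipped = [], []
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 2 or not all(fields):
            skipped.append((lineno, line))     # empty field or multi-valued field
            continue
        pairs.append((fields[0], fields[1]))
    return pairs, skipped


def count_edges(pairs):
    """Packets per directed (src, dst) pair; this is the edge weight in the graph."""
    return Counter(pairs)


def top_talkers(pairs, n=3):
    """Hosts ranked by how many packets they sent or received."""
    seen = Counter()
    for src, dst in pairs:
        seen[src] += 1
        seen[dst] += 1
    return seen.most_common(n)


def to_dot(edge_counts, internal_prefix="192.168."):
    """Render a Graphviz digraph: internal hosts shaded differently, edges weighted by count."""
    hosts = sorted({h for edge in edge_counts for h in edge})
    out = ["digraph capture {", "  rankdir=LR;", "  node [shape=box, fontsize=10];"]
    for h in hosts:
        color = "lightblue" if h.startswith(internal_prefix) else "lightgrey"
        out.append(f'  "{h}" [style=filled, fillcolor={color}];')
    for (src, dst), n in sorted(edge_counts.items()):
        out.append(f'  "{src}" -> "{dst}" [label="{n}", penwidth={1 + n * 0.5:g}];')
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    pairs, skipped = parse_pairs(SAMPLE_CSV)
    for lineno, line in skipped:
        print(f"skipped line {lineno}: {line!r}", file=sys.stderr)
    print(top_talkers(pairs), file=sys.stderr)
    with open("file.dot", "w", encoding="utf-8") as fh:
        fh.write(to_dot(count_edges(pairs)))
```

Replace `SAMPLE_CSV` with `sys.stdin.read()` to pipe the tshark command into it exactly as the post pipes into afterglow.pl; the skipped-row report on stderr is worth keeping, because a capture with many ICMP errors is itself a finding.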
BYOC – Bring your own Computer

I am not a big Citrix fan, but this is an idea that I think more and more companies need to start looking at. Why not allow your employees to bring their own computers (laptops) to work, or use them at home (telework), and restrict access through methods like Citrix or some other type of VPN/VM farm? Your data and primary systems are protected, you don’t have to worry about what the employee is doing on their machine, and you don’t have to worry about fixing their system either. It becomes the employee’s responsibility to make sure they have the technology required to do their job.

“The Citrix program includes a $2100 stipend to buy a laptop and a 3 year service plan. The workers essentially take on the company’s technology purchasing and maintenance responsibilities.”

http://www.technologyreview.com/Wire/21433/?nlid=1368&a=f

Gnuplot – links for information on using gnuplot

Here are some links that I have found useful when using gnuplot:

Using GNUPlot inside CGI scripts
gnuplot / plot (5E)
Clustered/Stacked Filled Bar Graph Generator
Data visualization using Perl/Tk
CGI-Perl, GnuPlot, etc – L529 Kind of a “bits n pieces” Tutorial!

Telework: Some basic facts about teleworking.

Recently there has been increased interest in teleworking (working from home). This is no doubt because of the increase in gas costs; most everyone’s fuel cost has at least doubled in the last year or so. But although there is increased interest from the employee side, the employer does not always see the benefit, beyond that his employee just doesn’t want to drive to work every day. Well, I found these facts about teleworking that should shed some light on the advantage the employer gets from teleworking.

Telework Facts – The Telework Coalition